GUIDE FOR THE DEVELOPMENT OF
SAFETY ASSESSMENT REPORT (SAR)


I. INTRODUCTION:


This report was developed by the R&D subcommittee of the AMC action committee for system safety and is intended to provide researcher, combat developers, program managers, contractors, testers, and users, guidance to develop a comprehensive and effective safety assessment report (SAR). The SAR is a formal, comprehensive safety report that summarizes the safety data that has been collected and evaluated during the life cycle of an item (ref 1). It expresses the considered judgement of the contractor or developing agency regarding the hazard potential of the item and any actions or precautions that are recommended to minimize these hazards and to reduce the exposure of personnel and equipment to them.



II. RESPONSIBILITIES:

a. Materiel Commanders: AR 385-16 (ref 2) requires that an SAR will be provided to the combat developer and the operational tester, development test agency, and other testing agencies at least 60 days before the start of their respective tests.

b. Heads of operational test (OT) and development test (DT) and evaluation agencies, activities and commands:

1. Use the SAR information to integrate safety into test planning and procedures and for shipping and handling of the system.

2. Ensure that developmental testing will not begin until an SAR has been received, reviewed, and accepted by the test agency.


III. SAFETY ASSESSMENT REPORT FORMAT GUIDE:

The SAR is a formal summary of the safety data, collected during the design and development of the system, which provides a comprehensive evaluation of safety risks being assumed prior to test or operation of a system or at contract completion. In it, the contractor or materiel developer summarizes the hazard potential of the item, provides a risk assessment and recommends procedures or other corrective actions to reduce these hazards to an acceptable level.


1. INTRODUCTION:

STATE THE PURPOSE OF THE SAFETY ASSESSMENT REPORT.

The purpose of the SAR is to provide a comprehensive evaluation of the safety risks being assumed prior to test or operation of the system or at contract completion. It should identify all safety features of the hardware and system design and procedural hazards that may be present in the system being acquired. It should include specific procedural controls and precautions that should be followed.

2. SYSTEM DESCRIPTION. Develop by reference other program specifications such as technical manuals, system safety program plans, specifications, etc., as applicable and:

a. State purpose and intended use of item.

The description of the system should begin with its intended use and the mission that it is required to accomplish.

b. Give background information on development of item.

Provide an historical summary of the system's development.

c. Describe the item fully.

Include name, type, model number, presence of any radioactive source, general physical features including size, weight, payload, and specific operational features. Describe major subsystems and components.

d. Describe fully any system that will be tested along with the item.

For example, a weapons system may need to be tested while mounted on a specific vehicle. While the vehicle may already be a fielded item, its interface with the weapons system needs to be evaluated.

e. Provide photos, charts, flow diagrams, or schematics to support the system description, test or operation.


3. SYSTEM OPERATIONS:

a. Present a complete sequence of system operations and emphasize the safety features.

A system is designed, manufactured, and maintained to accomplish a specific mission. It has certain characteristics and limitations within which it will function properly. Procedures which should be followed in sequence for safe operation should be spelled out so that important steps are not by-passed. Hazardous operations should be conducted only in designated areas. Only essential personnel should be permitted within the hazard area during a specific operation. Personnel and organizations should be notified before the operation is begun. Escape routes should be clearly designated.

b. List and describe fully any special procedures needed to assure safe operations, including emergency procedures.

For example, misfire/hangfire/cook-off procedures or warnings should be emphasized for all weapons, as well as load/stow/reload procedures for the smoke grenade and associated launchers.

c. Describe operating environments and specific skills for safe operation, maintenance, or disposal.

d. Describe special facility requirements or personal equipment to support/operate the system.

For example, fire suppression system, climate control, ventilation, ear or eye protection, gloves, clothing, etc.


4. SAFETY ENGINEERING:

a. Include all system safety data and include contractor safety data developed during design and development phases.

The system safety engineering process may begin with known previous experience and knowledge. The lessons learned from previous system developments should be made available for the hazard analysis. Other data available from common resource banks such as government defense and industry should be considered. Accident and incident data should be surveyed for common types of safety hazards.

As long as hazards exist, there is the possibility, no matter how improbable, that an accident will occur. Accidents are possible when the system or its components are being tested during development. However, tests are usually carried out by highly trained personnel who are alert to the possibility that failures at that stage are likely. But when the system becomes operational, the operational personnel may be less skilled, knowledgeable, or capable of meeting emergencies. Designers must therefore assume that in the hands of the ultimate user, the probability of accidents is greater.

b. Show analyses and tests performed to point out hazardous conditions in the item.

Hazard analyses are the heart of the system safety evaluation. The types of analyses that were performed must be stated in this section and the purpose must be clearly defined. Since there are many types of hazard analyses, a specific attempt to understand the system and the need to perform unique types of analyses should be made.

An explanation and instructions on the development of hazard analyses are included in Appendix C of this report. They include preliminary hazard analysis (PHA), subsystem hazard analysis (SSHA), and fault tree analysis (FTA).

(1) Show hazard severity and the effect of hazards on system operation and mission.

Hazard severity and probability of occurrence should be categorized in accordance with procedures in paragraphs 4.5.1 and 4.5.2 of MIL-STD-882B. A reproduction of these tables is included in Appendix C of this report.

(2) Explain system interfaces and associated safety implications.

The human/machine/hazards need to be examined and all of the system's interfaces should be pointed out. Understanding the need for a complete evaluation of hazards to assure that controls are considered in the PHA, is vital. System definition will initially result in a suitable general design. It is understood that all hazards may not be recognized at this time. However, this analysis should be continuously upgraded as the development phase progresses. Catastrophic hazards should be considered as a source of fault tree analysis so that the events leading to the undesired event can be traced.

(3) Show the results of hazard analysis validation tests.

The method by which safety controls are brought into existence must be stated in a clear, positive policy. It will be necessary to verify that the particular design meets the safety requirements specified. A safety test matrix which identifies the particular areas that were tested, along with the results and actions to abate the hazards should be present.

c. Include surface danger zone data and other range safety data for weapons or explosive items and sources of nonionizing/ionizing radiation.

This section encompasses a wide variety of possible safety hazards which may or may not be an integral part of the system. If the system relates to any of the above, the information must be included. The following data needs to be considered:

(1) General range control precautions, instructions, and danger zones necessary in the firing and other use of ammunition and explosives in all types of test operations utilizing water, airspace, and assigned land areas.

(2) Lasers are an example of nonionizing radiation. Three aspects of laser application which influence the total hazard evaluation are the laser system capability of injuring personnel, the environment in which the laser is used, and the personnel who operate the laser and the personnel who may be exposed.

(3) Any ionizing radiation hazards that may be present within the system or as the result of operating or maintaining the system, must be identified. Methods of safeguards need to be communicated.

d. When the developer states that the test presents no hazard, include the basis for this decision and supporting evidence.

In most cases some form of hazard analysis should be performed before determining that no hazards exist. It is not enough to compare the system in question to some other system that was previously fielded. Copies of all analyses and test reports should be included as evidence.

e. Health hazards (per AMC Suppl 1 to AR 385-16)

(1) Address any known or potential health hazards to test participants as a result of the design or use of the system.

(2) Include results (attach if available) of mandatory health hazards studies made by medical agencies (AR 40-10). Also include results of medical research or consultations made to clarify the nature and degree of the hazard to user personnel.

Examples would include tests for toxic gas concentrations, noise levels (including impulse as well as steady state), and radiation measurements.

c. Indicate whether the restrictions for human use volunteers (AR 70-35) apply.


5. CONCLUSIONS AND RECOMMENDATIONS:

a. State whether the system is completely safe for testing or whether it is safe for testing with exceptions.

It should be remembered that test personnel, both during development testing and operational testing, must operate, fire, evaluate, etc., the materiel to be tested and it is necessary for their safety and the safety of military personnel who will later use the systems, that they understand all of the peculiarities of the system. It is in this section that all known or suspected hazards need to be summarized along with safeguards needed to protect users against serious injury or loss of the system.

b. List exceptions for all real and potential hazards that may be encountered. Make specific safety recommendations to ensure the safety of personnel and preservation of materiel and property.

(1) Related hazards should be classed as expected to occur under normal or abnormal operating conditions.

(2) Explosive, electrical, mechanical, health, radiological, and composite hazards should be covered.

c. Highlight any known safety or health problems that will require further investigation during testing.


6. REFERENCES:

List references such as test reports, preliminary operating manuals, maintenance manuals, and health hazard studies.


7. SIGNATURE BLOCKS:

The SAR should be signed as stated below:

Prepared by: __________ Date __________

Concurred by: __________ Date __________

Approved by: __________ Date __________

APPENDIX A - REFERENCES

APPENDIX B - SAFETY ASSESSMENT REPORT (DI-SAFT-80102)


1. Introduction.

a. State purpose of the safety assessment report.

b. Give short summary.

c. Provide an operational scenario description and analysis of hazards peculiar to the operational environment.

2. System description.

a. State purpose and intended use of item.

b. Give background information on development of item.

c. Describe the item fully, include name, type, model number, presence of any radioactive source, general physical features, and specific operational features.

d. Describe fully any system that will be tested along with the item.

3. System operations.

a. Present a complete sequence of system operations. Emphasize the safety features.

b. List and describe fully any special procedures needed to assure safe operations.

4. Safety engineering.

a. Include all system safety data and include contractor safety data developed during design and development phases.

b. Show analyses and tests performed to point out hazardous conditions in the item.

(1) Show hazard severity and probability of occurrence (MIL STD 882), if applicable, and the effect of hazards on system operation and mission.

(2) Explain system interface and associated safety implications.

(3) Show results of hazard analysis validation tests.

c. Include surface danger zone data and other range safety data for weapons or explosive items and sources of nonionizing/ionizing radiation.

d. When the developer states that the test presents no hazard, include the basis for this decision and the supporting evidence.

e. Address any known or potential health hazards to test participants as a result of the design or use of the system. Attach OTSG Health Hazard Assessment (AR 40-10).

5. Conclusions and recommendations.

a. State whether the system is completely safe for testing or whether it is safe for testing with exceptions.

b. List exceptions for all real and potential hazards that may be encountered. Make specific safety recommendations to insure the safety of personnel and preservation of materiel and property.

(1) Related hazards should be classed as expected to occur under normal or abnormal operating conditions.

(2) Explosive, electrical, mechanical, health, radiological, and composite-type hazards should also be covered.

c. Highlight any known safety or health problems that will require further investigation during testing.

6. References. List references such as test reports, preliminary operating manuals, maintenance manuals, and health hazard studies.

Prepared by: __________ Date __________

Concurred in by: __________ Date __________

Approved by: __________ Date __________

APPENDIX C - SYSTEM SAFETY ANALYSIS


Starting in basic research (6.1) the developer and contractor should perform various factory, laboratory, and proving ground tests of parts, components, and subsystems, using "breadboard" or "brassboard" configuration.

From the beginning, the system shall be designed, in a timely and cost effective manner, to eliminate all potential and actual safety and health hazards. These hazards shall be identified and evaluated in accordance with hazards evaluation techniques as spelled out in MIL-STD-882B. These techniques shall include, but not be limited to the following:

Preliminary Hazard Analysis (PHA)


A Preliminary Hazard Analysis is an inductive process which should be conducted early in the design phase of the system life cycle to identify in broad or gross terms the potential hazards associated with the postulated operational concept. The analysis is a comprehensive, qualitative, evaluation of the system which considers the system from the viewpoint of its operational environment. As potentially hazardous operations, materials, and design are identified, this information should be used in the development of safety criteria to be imposed in the performance/design specifications. The Preliminary Hazard Analysis, therefore, becomes a necessary system safety program element to provide assurance that the system safety requirements become an integral part of the overall technical design requirements.

The Preliminary Hazard Analysis should include, but not be limited to, the following activities:

• A review of pertinent historical safety experience data.

• A categorized listing of basic hazard sources including an identification of possible causes in each category.

• An investigation of the various sources to determine the provisions which have been developed for their control.

• Identification of hazard sources for which inadequate control has been provided in the proposed design/procedures.

• The provision of specific safety requirements/criteria which should be incorporated into the program documentation to assure control of the sources which present unacceptable hazard levels.

The following activities, areas, conditions should be considered when performing the PHA:

1) Hazardous components

• Hazardous materials

• Energy sources

• Fluids and oils

• Off-property sources

• Pressure systems

2) Safety related interface considerations among various elements

• EMI

• Inadvertent activation

• Fire/explosive initiation and propagation

3) Environmental constraints

• Temperature extremes

• Shock

• Noise and health hazards

• X-Rays

4) Construction constraints

In addition to many of the environmental constraints are

• Transportation

• Installation

• Utilities

• OSHA

• Laser radiation

5) Operating, test and maintenance procedures

• Layout and lighting

• Crash safety

• Egress and rescue

6) Facilities, support equipment and training

• Codes and standards

• Certification

• Storage, assembly and checkout

7) Safety related equipment, safeguards

• Interlocks

• Redundancy

• Fail safe design

• Fire suppression systems

• Personnel protective equipment

In Contract No. _____, enter the contract number for which PHA is being performed.

In Contractor _____, enter the name of the Contractor responsible for the PHA.

In PHA No. _____, enter the PHA Number which shall be coded and sequentially numbered by each Contractor for each system. This coding sequence will be utilized for all related analysis.

In Revision No. _____, enter the revision number to indicate the latest status.

In Subsystem _____, enter the nomenclature of the subsystem as broken out from the system.

In System _____, enter the nomenclature of the applicable system.

In Drawing No. _____, enter the drawing number of the drawing on which the subsystem is indicated.

In Prepared by _____ Date _____, the preparer will sign and enter the date of issue or completion on each sheet of the analysis.

In Reviewed by _____ Date _____, the reviewer will sign and enter the date of review on each sheet of the analysis.

In Approved by _____ Date _____, the Contractor's Project Manager will sign to approve and enter the date of approval on each sheet of analysis.

In (1) Function Description & No., enter the reference number and a brief functional description of the subsystem under analysis.

In (2) System Mode, enter the state of the system, at the time of the failure mode or condition.

In (3) Hazard Description, enter the nature of hazard condition introduced by the failure of the subsystem.

In (4) Potential Cause, enter the most likely primary and secondary causes of the hazard condition.

In (5) Effect on Subsystem/Interfacing Subsystems, enter a brief description of the hazard condition effect(s) on the subsystem and other interfacing subsystems.

PRELIMINARY HAZARD ANALYSIS (PHA) (cont'd)

Instructions for Completing

In (6) Hazard Category, enter the highest applicable hazard class in accordance with MIL-STD-882B.

In (7) Redesign/Control Remarks, enter a brief description of the redesign/control/corrective action(s) necessary for the hazard condition being analyzed. Enter name(s) of related analysis and reference number(s) and which approach is being proposed - Design Change, Procedures, Special Training, etc.



SYSTEM HAZARD ANALYSIS (SHA)

Instructions for Completing

In Contract No. _____, enter the contract number for which SHA is being performed.

In Contractor _____, enter the name of the Contractor responsible for the SHA.

In SHA No. _____, enter the SHA number which shall be coded and sequentially numbered by each Contractor for each system. This coding sequence will be utilized for all related predictions and analysis.

In Revision No. _____, enter the revision number to indicate the latest status.

In System _____, enter the nomenclature of the applicable system.

In Drawing No. _____, enter the drawing number of the drawing on which the subfunction is indicated.

In Interfacing System _____, enter the nomenclature of the applicable interfacing system.

In Prepared by _____ Date _____, the preparer will sign and enter the date of issue or completion on each sheet of the analysis.

In Reviewed by _____ Date _____, the reviewer will sign and enter the date of issue or completion on each sheet of the analysis.

In Approved by _____ Date _____, the Contractor's Project Manager will sign to approve and enter the date of approval on each sheet of analysis.

In (1) Hazard Description, enter the nature of hazard condition introduced by the failure of the system.

In (2) System Mode, enter the state of the system the instant before the failure mode or condition.

In (3) Potential Cause, enter the most likely primary and secondary causes of the hazard condition.

In (4) Effect(s) on System, enter a brief description of the hazard condition effect(s) on the system.

In (5) Effect(s) on Interfacing System(s), enter a brief description of the hazard condition effect(s) on the interfacing system(s).

SYSTEM HAZARD ANALYSIS (SHA) (cont'd)

Instructions for Completing

In (6) Interfacing Parameters, enter the parameters responsible for the interaction of the system with other systems.

In (7) Hazard Category, enter the highest applicable hazard class in accordance with MIL-STD-882B.

In (8) Redesign/Control Actions, enter a brief description of the redesign/control/corrective action(s) necessary for the hazard condition being analyzed. Enter name(s) of related analysis and reference number(s).

Operating & Support Hazard Analysis [(O & S) HA]


The purpose of the (O & S) HA is to identify and analyze hazards associated with personnel and procedures during production, testing, installation, training, escape and operations.

The (O & S) HA is normally conducted on all identified hazards involved with tasks with man/machine interfaces. When the (O & S) HA indicates a potential problem, it should be made known to the responsible engineer in order to initiate a design review or a system safety working group action item. The (O & S) HA should be reviewed on a continuous basis to ensure that design modifications, procedures, testing, etc., do not create hazardous conditions.

The (O & S) HA helps ensure that corrective or preventive measures will be taken to minimize the possibility that any human error procedure will result in injury or system damage. The (O & S) HA provides inputs for recommendations for changes or improvements in design or procedures to improve efficiency and safety, development of warning and caution notes to be included in manuals and procedures, and the requirement of special training of personnel who carry out the operation and maintenance of the system.

A well-documented analysis shows compliance with the specified system safety and operational requirements.


The SSHA is an inductive process which, in effect, is an expansion of, with increased complexity over, the Preliminary Hazard Analysis. The completion of this analysis will normally occur during the design phase and prior to the design freeze (in a system development, prior to CDR). This occurs when the actual system design has been refined to the point where the detailed information is available, however, it can be used effectively during operations as part of an investigation to establish cause and effect relationships and probabilities.

There are several types of SSHA's:

• Fault Hazard Analysis (FHA)

• Sneak Circuit Analysis

• Fault Tree Analysis (FTA)

However, only the FHA and FTA are discussed herein.

An SSHA/FHA is conducted on identified failure modes, and will be qualitative to a quantitative analysis as the design develops. When the analysis indicates a potential problem, it should be made known to the responsible Engineer in order to initiate proper action. An FHA should be reviewed on a continuous basis to ensure that design modifications do not add hazards to the system. The FHA should be developed in conjunction with the FMECA.

It provides information to evaluate identified hazards, identify safety critical areas and provide inputs to safety design criteria and procedures with provisions and alternatives to eliminate or control all category I and II hazards, to minimize or control category III and IV hazards, and to identify critical items.

FAULT HAZARD ANALYSIS (FHA)

Instructions for Completing

In Contract No. _____, enter the contract number for which FHA is being performed.

In Contractor _____, enter the name of the Contractor responsible for the FHA.

In FHA No. _____, enter the FHA number which shall be coded and sequentially numbered by each Contractor for each system. This coding sequence will be utilized for all related predictions and analysis.

In Revision No. _____, enter the revision number to indicate the latest status.

In Subsystem _____, enter the nomenclature of the subsystem as broken out from the system and which includes the item undergoing FHA.

In System _____, enter the nomenclature of the applicable system.

In Drawing No. _____, enter the drawing number of the drawing on which the LRU is indicated.

In Prepared by _____ Date _____, the preparer will sign and enter the date of issue or completion on each sheet of the analysis.

In Reviewed by _____ Date _____, the reviewer will sign and enter the date of review on each sheet of the analysis.

In Approved by _____ Date _____, the Contractor's Project Manager will sign to approve and enter the date of approval on each sheet of analysis.

In (1) LRU No & Description, enter the reference number nomenclature and brief functional description of the component/assembly.

In (2) Failure Mode, enter a brief description of the failure or condition that is being analyzed.

In (3) Failure Rate, enter the probability of occurrence of failure mode or condition. Give data source, such as experience, GIDEP, MIL HBK 217.

In (4) System Mode, enter the state of the system when the failure mode or condition occurs.

In (5) Cause, enter the most likely primary and secondary causes of the failure mode or condition.

OPERATING & SUPPORT HAZARD ANALYSIS [(O & S) HA]


Instructions for Completing Form 004:

In Contract No. _____, enter the contract number for which (O & S) HA
is being performed.

In Contractor _____, enter the name of the Contractor responsible
for the (O & S) HA.

In (O & S) HA No. _____, enter the (O & S) HA number which shall be
coded and sequentially numbered by each Contractor for each system. This
coding sequence will be utilized for all related analyses.

In Revision No. _____, enter the revision number to indicate the latest
status.

In Subsystem Function _____, enter the nomenclature and function of
the subsystem as broken out from the system.

In System _____, enter the nomenclature of the applicable system.

In Facility _____, enter the description of the facility which
includes the system.

In Drawing No. _____, enter the drawing number of the drawing on which
the subfunction is indicated.

In Prepared by _____, Date _____, the preparer will sign and
enter the date of review on each sheet of the analysis.

In Reviewed by _____, Date _____, the reviewer will sign and
enter the date of review on each sheet of the analysis.

In Approved by _____, Date _____, the Contractor's Project
Manager will sign to approve and enter the date of approval on each sheet
of analysis.


In (1) Task or Operation, enter a brief description of the task or
operation for which the hazard condition is being analyzed.

In  (2)  Potential  Cause,  enter  the  most  likely  primary  and  secondary 
causes  of  the  hazard  condition. 

In  (3)  Effect(s)  on  Personnel  System,  enter  a  brief  description  of  the 
hazard  condition  effect(s)  related  to  personnel  and/or  system(s). 

OPERATING & SUPPORT HAZARD ANALYSIS [(O & S) HA] (cont'd)

Instructions for Completing


In (5) Hazard Category, enter the highest applicable hazard class in
accordance with MIL-STD-882B.

In (6) Redesign/Control Actions, enter a brief description of the
redesign/control/corrective action(s) necessary for the hazard condition
being analyzed. Enter name(s) of related analysis and reference
number(s).


SUPPORT ACTIVITIES


General

Throughout a system's life cycle there must be a continuing flow
of information between disciplines. This is especially true for
the safety and assurance disciplines. "Next to design
inadequacies and deficiencies, the principal causes of equipment
and system failure and accidents are errors made during
manufacturing and maintenance".

Much of the analytic work is complementary, and data developed
for reliability purposes can be used in safety analyses. There
is a continuous interplay that must be recognized during the
analytic and investigatory processes.


Some of these analyses are:

1) Failure Modes and Effects Analysis (FMEA)

2) Failure Modes, Effects and Criticality Analysis (FMECA)

3) Maintenance Engineering Analysis (MEA)

4) Predicted Mean Time to Repair

The FMECA and the PMTTR are discussed herein.

In addition it is essential that the system safety engineer be
able to track category I & II hazards and the verification of the
eventual "fix", whether it be a

- Design/hardware change,

- Procedural change, or

- Training requirement.

The Critical Items List (CIL) enables the engineer to do this.


Critical Items List (CIL)

The purpose of the CIL is to compile all the identified
safety-critical items to provide visibility for immediate
corrective action to prevent personal injury or system damage
when a category I or II hazard is identified. The CIL also
provides a control technique for reliability when a category 1
and 2 criticality item is identified. The CIL should be reviewed
on a continuous basis until all items are resolved.

The CIL helps ensure that corrective action or preventive
measures are taken to optimize system safety, reliability and
maintainability by minimizing the magnitude and seriousness of
those items which could result in personal injury, system damage
and loss of operation, but which cannot be completely eliminated.
The CIL provides inputs for recommendations for: changes or
improvements in design; procedures to improve efficiency and
safety; development of warning and caution notes to be included
in manuals and procedures; requirements for special training;
and management information for the operation and maintenance of
the system. Those corrected CIL items should be incorporated
into the test program to verify effectiveness of corrective
measure(s).

Complete  documentation  shows  compliance  with  the  specified  system 
safety  and  operational  requirements. 

CRITICAL ITEMS LIST


Instructions for Completing

In Contract No. _____, enter the contract number for which CIL is being
prepared.

In Contractor _____, enter the name of the Contractor responsible
for the CIL.

In CIL No. _____, enter the CIL number which shall be coded and
sequentially numbered by each Contractor. This coding sequence will be
utilized for all related predictions and analysis.

In Revision No. _____, enter the revision number to indicate the latest
status.

In Prepared by _____, Date _____, the preparer will sign and
enter the date of issue of completion on each sheet.

In Reviewed by _____, Date _____, the reviewer will sign and
enter the date of review on each sheet.

In Approved by _____, Date _____, the Contractor's Project
Manager will sign to approve and enter the date of approval on each sheet.

In (1) LRU Description, enter nomenclature and brief functional
description of the lowest replaceable unit.

In (2) Failure Reference Analysis, enter the applicable analysis name
and number performed.

In (3) Failure Criteria Category, enter the highest applicable criticality
category in accordance with the description in the Glossary of Terms.

In (4) Hazard Reference Analysis, enter the applicable hazard analysis
name and number performed.

In (5) Hazard Category, enter the highest applicable hazard class in
accordance with MIL-STD-882B and the description of the corrective
action(s) or procedures which can be adopted to eliminate or minimize the
effects or failure condition being analyzed.

In (6) Requirement, enter the specified safety and/or reliability
guidelines.

In (7) Corrective Action, enter a brief description of the corrective
actions necessary for the hazard condition analyzed.


CRITICAL ITEMS LIST (cont'd)


Instructions for Completing

In (8) Resolution, enter a brief description of final action taken to
eliminate or control the hazard(s).

In (9) Retention Rationale, state the reasons for retaining the category
I and II hazards as critical items 1 & 2.

Failure Modes, Effects and Criticality Analysis


The purpose of the FMECA is to identify and analyze possible
failure as early as possible during the design phases so that
appropriate actions are taken to eliminate, minimize or control
the identified LRUs classified in criticality categories 1, 2 &
3.


The FMECA is normally conducted down to the lowest replaceable
unit (LRU) of each of its systems and subsystems to determine the
cause and effect of a single primary mode of failure. When the
FMECA indicates a hazard the engineer should conduct a Fault
Hazard Analysis (FHA). When the FMECA indicates a potential
problem, it should be made known to the responsible engineer in
order to initiate a design review. The FMECA should be reviewed
on a continuous basis to ensure that design modifications do not
add critical failure modes to the system.

FMECA helps ensure that all failure related information is
traceable to an identified piece of hardware. The effects of
failure are determined in a single analysis, which avoids
duplication of effort for other system assurance activities. It
provides inputs to the following:

1) Design Reviews

2) Maintainability Baseline

3) Reliability Baseline

4) System Safety Baseline

5) System Operation

6) Demonstration Test Plan and Procedures

7) Identify Hardware Requiring Close Control

8) Critical Hardware and Quantities to be Tested

A well-documented analysis shows compliance with specified
safety, reliability and maintainability requirements.

Hazard Severity. Hazard severity categories are/
qualitative measure of the worst credible mishap resulti .
error; environmental conditions; design inadequacies; procedural deficiencies;
or system, subsystem or component failure or malfunction as follows:


Description      Category    Mishap Definition

CATASTROPHIC     I           Death or system loss.

CRITICAL         II          Severe injury, severe occupational
                             illness, or major system damage.

MARGINAL         III         Minor injury, minor occupational
                             illness, or minor system damage.

NEGLIGIBLE       IV          Less than minor injury, occupational
                             illness, or system damage.

These hazard severity categories provide guidance to a wide variety of
programs. However, adaptation to a particular program is generally required
to provide a mutual understanding between the MA and the contractors as to the
meaning of the terms used in the category definitions. The adaptation must
define what constitutes system loss, major or minor system damage, and severe
and minor injury and occupational illness.

Hazard Probability. The probability that a hazard will be created
during the planned life expectancy of the system can be described in potential
occurrences per unit of time, events, population, items, or activity.

Assigning a quantitative hazard probability to a potential design or
procedural hazard is generally not possible early in the design process. A
qualitative hazard probability may be derived from research, analysis, and
evaluation of historical safety data from similar systems. Supporting
rationale for assigning a hazard probability shall be documented in hazard
analysis reports. An example of a qualitative hazard probability ranking is:


Description*   Level   Specific Individual Item       Fleet or Inventory**

FREQUENT       A       Likely to occur frequently     Continuously experienced

PROBABLE       B       Will occur several times in    Will occur frequently
                       life of an item

OCCASIONAL     C       Likely to occur sometime       Will occur several times
                       in life of an item

REMOTE         D       Unlikely but possible to       Unlikely but can reasonably
                       occur in life of an item       be expected to occur

IMPROBABLE     E       So unlikely, it can be         Unlikely to occur, but
                       assumed occurrence may not     possible
                       be experienced

*Definitions of descriptive words may have to be modified based on quantity
involved.

**The size of the fleet or inventory should be defined.

SUBJECT: Safety Assessment Report for XM52 Smoke Generator


1.0 INTRODUCTION.

1.1 Purpose. The purpose of this Safety Assessment Report is to provide the
test agency with the minimum protective measures, safety features of the system
and the specific safety procedural controls and precautions to be followed
during development testing IAW the requirements of AR 385-16 and AMC Reg 385-12.

1.2 Summary. The XM52 Smoke Generator has been designed to include provisions
for safeguarding personnel. Safety precautions have been located on the
equipment where necessary and are included within the operating maintenance
manual applicable to the system.

1.3 Content. The safety features included in the XM52 design are identified.
These features include potential hazard controls in the form of hardware; system
parameter monitors which provide input to the turbine engine's Electronic
Sequencing Unit which contains the logic to shut down the XM52 in the event of
out-of-tolerance conditions which may result in a hazardous condition if left
unchecked; provision of DANGER and CAUTION labels on the unit to apprise
operating personnel of potential hazards; establishment of proper operating
procedures to minimize hazard potentials resulting from operator error; and,
specification of support equipment and/or procedures to suppress or control a
hazard should it develop.

2.0 SYSTEM DESCRIPTION.

2.1 Purpose and Intended Use.

2.1.1 Purpose. The XM52 Smoke Generator is to provide a large area smoke
screen which will provide protection from both visual and IR detection devices.

2.1.2 Intended Use. The XM52 Smoke Generator has been configured for
deployment on the bed of the HMMWV, a trailer towed by the HMMWV or two units
mounted on the roof of a M113 APC (XM1059E1 Smoke Carrier) with the IR material
and fog oil supplies mounted inside the M113.

2.2 Historical Summary of System Development.

2.2.1 A predecessor to the XM52 program was the XM49 Smoke Generator. The XM49
was to replace the current M3A3 Smoke Generator. While in Advanced Development,
the XM49 project was terminated primarily because it had no potential for
providing IR screening and had operational problems which showed up during
development testing.

2.2.2 The current XM52 Smoke Generator program has been to develop a smoke
generator which provides improvements over the M3A3, including the capability of
dispensing IR defeating smoke material and the capability of being mounted on
and operated from fast moving wheeled and tracked vehicles.

2.2.3 The XM52 was to be developed around a lightweight turbine engine and meet
the following performance requirements:

-  after starting, the XM52 shall not require tending except to replenish
both smoke material and fuel.

-  operate  continuously  for  one  hour  without  replenishment. 

-  produce  good  quality  (dry)  smoke  from  fog  oil  at  the  rate  of  60  gallons 
per  hour. 

-  provide  IR  screening  protection  by  dispensing  IR  material  EA5763  in  a 
cloud  at  the  rate  of  600  lbs  per  hour. 

-  be  operated  from  the  intended  mounting  vehicles  while  on  the  move. 

-  there shall be consideration given to fire/flame suppression for tracked
and wheeled vehicle application.

-  fuel/smoke material spillage and unvaporized visual smoke material are
unacceptable.

-  torching at any time is unacceptable.

2.3  System  Description. 

2.3.1  Graphics.  Figures  1  and  2  present  the  various  deployment  configurations 
and  Figures  3  thru  5  are  detailed  illustrations  of  the  HMMWV/trailer  mountable 
XM52  system. 

2.3.2 Subsystems. The following list presents the major subsystems and
components of the XM52 Smoke Generator. While there are some differences between
the XM52 for the HMMWV/trailer application and the M113 application, these
differences do not affect subsystem functions, only the provisions for mounting,
length of cables and fluid lines and configuration and placement of fluid tanks.
The list pertains to any XM52 system regardless of its application.

a. Frame structure

b. Turbine (Turbomach Titan Model T-62T-2D)

c. Starter/Generator

d. Air Filter System

e. Storage batteries (not on M113)

f. IR dispenser w/electric motor

g. Diesel fuel tank with electric fuel pump

h. Fog oil tank with electric fog oil pump

i. Operator's control panel

j. Electrical and fuel lines

Figure: 3/4 TON TRAILER WITH 1 XM52 SMOKE

Figure: M113 APC WITH XM52 SMOKE GENERATOR SYSTEM

Figure 5: XM52 SMOKE GENERATOR CONTROL PANEL

3.0  SYSTEM  OPERATIONS. 

The XM52 Smoke Generator System can be operated locally in the static mode
or remotely (i.e. control box inside a vehicle and connected to the unit by
cable) while the vehicle is on the move.

Once the system is supplied with diesel fuel, fog oil and IR material, all
operation is conducted from the control box which is located at the opposite end
of the unit away from the hot exhaust tube. (See Figures 1 thru 5 to review
various vehicle applications, component locations and control panel layout.)

3.1  Operating  Procedures. 

3.1.1  Turbine  Starting  and  Smoke  Generation. 

3.1.2  To  start  the  turbine  engine  and  generate  smoke,  the  operator  must  perform 
the  following  sequence  of  actions: 

a.  Verify  the  GEN  switch  is  in  the  OFF  position. 

b. Set BATT PWR switch to ON position.

c.  Move  TURBINE  switch  to  START  position  and  release.  This  action  causes 
the  START  circuit  to  be  energized,  i.e.  spinning  up  the  rotor,  initiating  fuel 
flow  and  initiating  the  ignition  spark  when  the  rotor  has  achieved  the  required 
RPM. 


d. When the turbine reaches 100 percent RPM, the READY TO LOAD indicator
illuminates. Move the GEN switch to the RESET position and release the switch.

NOTE: The RESET position has been incorporated to prevent possible damage
to the turbine from premature loading. Therefore, even the GEN RESET position
is not enabled until the READY TO LOAD criterion has been met and the indicator
illuminates.

e. Set GEN switch to RUN position. Observe: GEN ON indicator illuminates.

f.  For  fog  oil  smoke,  set  VISUAL  SMOKE  switch  to  ON  position. 

g.  For  IR  screening,  set  IR  SMOKE  switch  to  ON  position. 

3.1.3 Since visual smoke quality is dependent on atmospheric conditions, the
operator can improve smoke quality by adjusting the exhaust temperature with EGT
INCR/DECR control.

3.2 Special Operating Procedures. A number of system parameters are monitored
electronically and result in a system shutdown, warning or a no start condition.
They are:

Processor Failure - Shutdown*

Overspeed - Shutdown

Underspeed - Shutdown

Overtemperature Probe 1 - Shutdown

Open Probe 2 - Warning

No temp data Card 1 - Warning

Both probes open - No start

Low Oil pressure - Shutdown

Power Latch transistor failed - Shutdown

Temperature Circuit Calibration required - Warning

No temp data card 2 - Warning

Shorted Probe 1 - Shutdown

Over Temp Probe 2 - Shutdown

Open Probe 1 - Warning

Failure to accelerate (approx 90 sec) - Shutdown

Data circuit test failure - Shutdown*

RAM test failure - Shutdown

Failure to accelerate (approx 15 sec) - Shutdown

Bleed valve not closed - No start

Shorted Probe 2 - Shutdown

Overtemperature (av) - Shutdown

Shorted or failed oil press SW - Shutdown

Flame out Deccel N 98X - Shutdown

High oil temp - Shutdown

No speed data - Shutdown

Seq. Fail - Shutdown

Both Probes shorted - Shutdown

*Internal failure, no external test possible.

These malfunctions are indicated to the operator through the BITE
indicators. In the event the operator should notice a system problem which does
not result in a system shutdown, the EMERGENCY STOP switch can be activated which
removes all electrical power and shuts down the system. Following an EMERGENCY
STOP and alleviation of the problem, all switches must be returned to their
NEUTRAL or OFF position before the unit can be restarted.

3.3 Operating Environment. The XM52 Smoke Generator has been designed for
operation in ambient temperature ranging from -25°F to 120°F. No procedural
differences have been identified for safe operation throughout this temperature
range.

3.4  Support  Equipment. 


3.4.1 When the XM52 Smoke Generator is operating the turbine emits high
intensity noise, even though sound absorbing panels surround the turbine.

Preliminary noise measurement readings taken at various locations within two
feet of the unit produced the following:

a. At the control panel - 102 dBA.

b. At the diesel fuel and fog oil fill ports - 120 dBA.

c. At rear of unit near bleed air overboard duct - 132 dBA.

It is obvious from these initial readings that personnel must be required to
wear hearing protection. Due to the very high noise levels at some locations
(132 dBA), double hearing protection should be used when working around the
generator. A CAUTION placard concerning the requirement for hearing protection
has been affixed to the unit.

3.4.2 When replenishing the IR material, personnel will be required to wear a
particulate filter mask and eye protection. The IR material EA5763 is a skin
irritant and should be washed from the skin with soap and water should personnel
become exposed.

3.4.3 While the unit has been designed to shutdown should the turbine
experience overtemperature or overspeed conditions, a fire extinguisher has been
mounted on the unit to be used in the extremely unlikely event of a fire. When
the unit is shutdown, either manually or automatically, the volatile diesel fuel
and fog oil cannot fuel a fire since the electric pumps which supply these
substances are deenergized.

3.5 Safety Design Features. For the safety features contained in the system,
refer to AAI Report No. ER-12871A, "Operating and Support Hazard Analysis
Report" (enclosure 1) and AAI Report No. ER-12555A, "System Hazard Analysis
Report" (enclosure 2).

3.6  Special  Procedures  Needed  To  Assure  Safe  Operations. 

a. Assure that ear protection is worn by all personnel conducting and
witnessing tests.

b. Assure that ear plugs and ear muffs are worn by personnel within 23 feet
of the system while in operation.

c. Assure that noise hazard signs are located in accordance with para 4.3
of MIL-STD-1474B(MI).

d. Monitor exposure times for all personnel for dBA(s) as required by TB
MED 501. For example 122 dBA - less than 4 hrs, 126 dBA - less than 2 hrs, 130
dBA - less than 1 hr, etc.

e. Assure that fire extinguishers are available on-site and are
operable/charged prior to testing.

f. Assure that all personnel conducting/witnessing tests have M9/M17 masks
in slung position.

g. Personnel should wear masks when handling the IR material or when
exposure to the IR smoke cloud appears likely.

h.  Personnel  must  stay  clear  of  the  hot  exhaust  area  at  the  rear  of  the 
XM52  during  operation. 

4.0  SYSTEM  SAFETY  ENGINEERING. 

4.1 The methodology of MIL-STD-882A and AR 385-10 was used to identify and rank
potential hazards associated with the XM52 Smoke Generator.

4.2 During the development of the XM52 Smoke Generator, a System Hazard
Analysis and an Operating & Support Hazard Analysis were conducted. These
analyses were based upon review of design drawings, existing documentation on the
unmodified Titan Model T-62T-2A1 turbine engine (the engine model employed is a
T-62T-2D which is a modification of the aforementioned engine) and observation
of the initial test runs of the XM52. Hazardous conditions and their respective
hazard severity levels, probability levels and control measures are identified
in the following:

a. AAI Report No. ER-12871A, Operating and Support Hazard Analysis Report
(enclosure 1).

b. AAI Report No. ER-12555A, System Hazard Analysis Report (enclosure 2).

5.0 HEALTH HAZARD ASSESSMENT. No Health Hazard Assessment (HHA) Report has
been performed to date. Upon completion of the HHA Report, this paragraph will
be updated/amended to include the report.

6.0  CONCLUSIONS  AND  RECOMMENDATIONS. 

6.1 All known safety hazards have been evaluated throughout the design of the
XM52. The system is considered to be safe to operate and test as long as the
procedures stated in paragraph 3.6 are followed. For information on
environmental conditions, demilitarization, disposal, etc., refer to
ARCSL-EA-83005 "Programmatic Life Cycle Environmental Assessment of Smoke
Obscurants," Vol. 3 of 5, dated Jul 83, and "Life Cycle Environmental
Assessment, XM52 Gas Turbine Smoke Generator," dated Jan 83.

6.2 The intended obscuration function of a smoke generating device necessitates
localized air pollution, therefore the appropriate environmental permits must be
obtained prior to testing. The XM52 utilizes materials currently in the Army
inventory, i.e. diesel fuel and fog oil. The established handling procedures
for these substances apply to the XM52 Smoke Generator.

The procedures for handling the IR screening material EA5763
established during the XM49 Smoke Generator program also apply to the current
XM52 Smoke Generator program.

7.0  REFERENCES. 

7.1 MIL-STD-1478 (MI).

ME  1. 

7.3  ARCSL-EA-83005,  Vol  3,  dated  Jul  83. 

7.4 ARCSL-TR-82065, dated Jun 83, "Life Cycle Environmental Assessment XM52
Gas Turbine Smoke Generator", dated Jan 83.

1.0 INTRODUCTION

This System Hazard Analysis (SHA) Report is submitted in accordance
with the requirements of Line Item AOOT of the DD1423, Contract Data
Requirements List, for Contract No. DAAK 11-82-C-0126, Advanced Development
of the Large Area Smoke Generator, XM52. This report meets the requirements
of Data Item Description (DID) DI-H-7048, System Safety Hazard Analysis
Report.

2.0 GENERAL

The scope of this SHA is the systematic assessment of real and
potential hazards associated with the subsystems of the XM52 Smoke Generator.
This SHA was conducted on the available system concept data in an attempt to
identify hazards and then direct design efforts toward the elimination or
control of the identified hazards.

When the XM52 is viewed as a system, with the turbine engine being
a subsystem thereof, the number of subsystems are relatively few as indicated
in the accompanying figures and system description.

3.0 SYSTEM DESCRIPTION

The XM52 Smoke Generator is used to provide a large area smoke screen
which will provide protection from both visual and IR detection devices.

The XM52 Smoke Generator is being designed to provide large area
obscuration capability to minimize detection by the enemy through either
visual or infrared means. To accomplish this goal, the XM52 uses a
slightly modified Turbomach turbine engine (Titan Model T-62T-2A1 which is to
be designated as Model T-62T-2D) as a heat and power source. By introducing
fog oil into the hot turbine exhaust, the unit will be able to produce good
quality smoke for protection from visual detection. Also, by using turbine
bleed air and an electrically driven IR dispenser system, the XM52 will be
able to introduce air-entrained IR material into the exhaust stream to
provide protection from detection by IR devices.

3.1 Major Subsystems and Components

The following list presents the major subsystems and components
of the XM52 Smoke Generator. While there are some differences between the
XM52 for the HMMWV/Trailer application and the M113 application, these
differences do not affect subsystem functions, only the provisions for
mounting, length of cables and fluid lines and configuration and placement
of fluid tanks. The list pertains to any XM52 system regardless of its
application.

1. Frame structure

2. Turbine (Turbomach Titan Model T-62T-2A1
   slightly modified which is to be designated as
   Model T-62T-2D)

3. Starter/Generator

4. Air Filter System

5. Storage batteries (not on M113)

6. IR dispenser w/electric motor

7. Diesel fuel tank with electric fuel pump

8. Fog oil tank with electric fog oil pump

9. Operator's control panel

10. Fluid lines

11. IR lines


Figures 1, 2 and 3 depict conceptually the interfaces between the
major assemblies of the XM52 in both the HMMWV/Trailer and M113 applications.

4.0  ANALYSIS  SUMMARY 


The  analysis  results  presented  on  the  following  pages  tddress  the 
hazard  potential  to  the  system  should  there  be  a  failure  in  any  cf  the  sub^ 
systems.  Since  the  Turbomach  engine  (Titan  Model  T-62T-2A1)  is  tirrently 
In  the  Army  ventory*  only  the  interfaces  between  the  turbine  aid  the  other 
subsystems  oi  the  XM52  have  been  examined.  The  safety  features  r:  the  turbine 
and  Its  subsystem  are  already  veil  documented  In  TH  55’*283S-203*L> »  ’’Organlz- 
atlonal.  DS  and  GS  Maintenance  Manual."  Even  so*  the  major  safer*  concerns 
with  any  turbine  are  adequate  protection  from  overheating  and  ovespeeding 
conditions  and  the  above  turbine  Incorporates  safety  switches  vh±:h  shut 
down  the  turbine  should  either  condition  occur.  Another  concern  ^Ith  turbines 
is  the  potential  for  the  turbine  wheel  to  disintegrate  from  overmeed  or 
material  defect.  This  concern  Is  alleviated  by  the  turbine  wheel  employed 
which  is  designed  to  shed  the  vanes  gradually  rather  than  burstliq  catastro¬ 
phically.  In  addition,  the  turbine  wheel  housing  Is  designed  to  :oncain  the 
vane  fragments  If  the  wheel  falls.  Also,  in  the  XMS2  appllcatioi  there  Is  the 
added  protection  of  the  removable  access  panels  which  enclose  tht  entire  turbir. 


The remaining concern with turbines is the possibility of a "hot
start" or "wet start" resulting from fuel left in the combustion chamber from
a previous start attempt in which ignition did not occur. The modified
turbine incorporates provisions to expel the fuel from a false start out
through the turbine's exhaust pipe. The small amount of fuel (5-cc) remaining
from a false start presents no hazard when it is expelled to the atmosphere
and ground.

Regarding electrical hazards, the XM52 uses a 28 volt power supply
which is considered intrinsically safe, although injury could result from
an involuntary surprise reaction if an individual comes in contact with the
circuit.


4.1  Assignment  of  Risk  Assessment  Codes 

The accompanying analysis sheets contain hazard severity levels,
hazard probability levels and Risk Assessment Codes (RAC). The hazard
probability levels and RAC are from AR 385-10 Interim Change No. 101. The
hazard severity levels are from MIL-STD-882A so that system damage, as well
as personnel injury, can be included in the definition and reflected in the
hazard assessment.

HAZARD SEVERITY

a. Category I - Catastrophic. May cause death or system loss.

b. Category II - Critical. May cause severe injury, severe
occupational illness, or major system damage.

c. Category III - Marginal. May cause minor injury, minor
occupational illness, or minor system damage.

d. Category IV - Negligible. Will not result in injury,
occupational illness, or system damage.

HAZARD  PROBABILITY 

A - Likely to occur immediately

B - Probably will occur in time

C - Possible to occur in time

D - Unlikely to occur

RISK ASSESSMENT CODES

1 - Critical

2 - Serious

3 - Moderate

4 - Minor

5 - Negligible

FOREWORD

Included herein are the results of the Operating and Support
Hazard Analysis (O&SHA) conducted by AAI's system safety personnel on the
entire XM52 Smoke Generator system. In the body of the AAI report, there
are several references to the turbine engine as a "modified Turbomach
Model T-62T-2A1 turbine engine." Since this engine is in the Army inventory,
these references have been retained so that reviewing personnel may refer to
existing documentation to gain an understanding of the basic turbine
capabilities. However, the modifications made to Model T-62T-2A1 were of
sufficient scope that a new model number (T-62T-2D) has been assigned to the
turbine engine to be used in the XM52 Smoke Generator application.

Included as the Attachment is the O&SHA report prepared by
Turbomach personnel on the turbine engine, Model T-62T-2D. In the interest
of clarity, the Turbomach report has been appended in its entirety.

This updated O&SHA Report incorporates the changes and corrections
suggested by the Chemical Research and Development Center Safety Office
letter dated August 23, 1983.

Of particular concern to the Safety Office was the possibility of
IR material being blown back through the line which supplies atmospheric
air to the venturi assembly. This potential hazard was recognized some
months ago and an antiblowback valve has been incorporated in this line.

A request was also made by the Safety Office to analyze the hazard
potential of either the fog oil tank or IR dispenser breaking free from
their mounts in the M113 during an accident. The responsibility for the
XM52 installation in the M113 has been contracted with TMC Corporation for
analysis to determine component locations and providing mount requirements.
The shock and vibration testing requirements of MIL-STD-810 should be the
guidelines to drive the design of the mounting provisions in the M113.

1.0 INTRODUCTION

This Operating and Support Hazard Analysis (O&SHA) Report is
submitted in accordance with the requirements of Line Item AOOU of the
DD1423, Contract Data Requirements List, for Contract No. DAAK11-82-C-0126,
Advanced Development of the Large Area Smoke Generator, XM52. This report
meets the requirements of Data Item Description (DID) DI-H-^IO^S, System
Safety Hazard Analysis Report.

2.0  GENERAL 

The scope of this O&SHA is the systematic assessment of real and
potential hazards associated with the operating and support tasks for the
XM52 Smoke Generator. This O&SHA was conducted on the available system
concept data and engineering drawings in an attempt to identify hazards and
then direct design efforts toward the elimination or control of the
identified hazards.

3.0  SYSTEM  DESCRIPTION 

The  XM52  Smoke  Generator  is  to  provide  a  large  area  smoke  screen 
which  will  provide  protection  from  both  visual  and  IR  detection  devices. 

The XM52 Smoke Generator is being designed to provide large area
obscuration capability to minimize detection by the enemy through either
visual or infrared means. To accomplish this goal, the XM52 uses a
slightly modified Turbomach turbine engine (Titan Model T-62T-2A1) as a
heat and power source. By introducing fog oil into the hot turbine
exhaust, the unit will be able to produce good quality smoke for protection
from visual detection. Also, by using turbine bleed air and an electrically
driven IR dispenser system, the XM52 will be able to introduce air-entrained
IR material into the exhaust stream to provide protection from detection by
IR devices.

3.1  Major  Subsystem  and  Components 

The following list presents the major subsystems and components
of the XM52 Smoke Generator. While there are some differences between the
XM52 for the HMMWV/Trailer application and the M113 application, these
differences do not affect subsystem functions, only the provisions for
mounting, length of cables and fluid lines and configuration and placement
of fluid tanks. The list pertains to any XM52 system regardless of its
application.

1. Frame structure

2. Turbine (Turbomach Titan Model T-62T-2A1, slightly modified)

3. Starter/Generator

4. Air Filter System

5. Storage batteries (not on M113)

6. IR dispenser w/electric motor

7. Diesel fuel tank with electric fuel pump

8. Fog oil tank with electric fog oil pump

9. Operator's control panel

10. Electrical and fuel lines

4.0 ANALYSIS SUMMARY

The  analysis  results  presented  on  the  following  pages  address  the 
hazard  potential  inherent  in  operating  and  support  personnel  tasks.  Major 
concerns  from  the  inception  of  the  XM52  program  have  been  the  following: 

1.  Control  of  excessive  noise. 

2.  Provisions  of  safe  techniques  for  the  replenishment  of  diesel 
fuel,  fog  oil  and  IR  material. 

3. Protection from inadvertent contact with hot surfaces and
components.

4. Assurance of sound footing for maintenance tasks.

5. Avoidance of personnel contact with IR material.

6. Provision of guards around moving components.

7. Control (i.e., minimization) of possible fire conditions.

Fire potential is impossible to eliminate where fuels are used.

8. Elimination of sharp edges, protrusions and pinch points.

As evidenced in the "Corrective Action/Minimizing Provisions" column of the
analysis data sheets, the design incorporates provisions to address the
concerns enumerated above.

Potential hazards associated with the maintenance of the turbine engine
(i.e., use of cleaning agents) are not addressed in the accompanying analysis
sheets. These hazards have been addressed in the technical manual (TM
3>1040-‘274-12&P) for the maintenance of the turbine engine.

4.1 The accompanying analysis sheets contain hazard severity levels,
hazard probability levels and Risk Assessment Codes (RAC). The hazard
probability levels and RAC are from AR 385-10 Interim Change No. 101. The
hazard severity levels are from MIL-STD-882A so that system damage, as well
as personnel injury, can be included in the definition and reflected in the
hazard assessment.

HAZARD SEVERITY

a. Category I - Catastrophic. May cause death or system loss.

b. Category II - Critical. May cause severe injury, severe
occupational illness, or major system damage.

c. Category III - Marginal. May cause minor injury, minor
occupational illness, or minor system damage.

d. Category IV - Negligible. Will not result in injury,
occupational illness or system damage.

HAZARD PROBABILITY

A - Likely to occur immediately

B - Probably will occur in time

C - Possible to occur in time

D - Unlikely to occur

RISK ASSESSMENT CODES

1 - Critical

2 - Serious

3 - Moderate

4 - Minor

5 - Negligible

5.0 PROPOSED DEPLOYMENT CONFIGURATION OF XM52 SMOKE GENERATOR

The XM52 Smoke Generator has been designed for deployment on the
bed of the HMMWV, a towable trailer or on top of a M113 Armored Personnel
Carrier (APC). The artist's conceptions of these three configurations are
presented in the following figures. These figures are presented to aid
the reader in understanding the details of the hazard analysis data sheets.
It should be noted that the HMMWV and trailer configurations are identical
with the entire system mounted on a subframe structure. The M113
configuration has only the generator units mounted on the top exterior, while
the diesel fuel, fog oil and IR material supplies are located inside the
vehicle.

HIGH MOBILITY MULTIPURPOSE WHEEL VEHICLE (HMMWV) AND
3/4 TON TRAILER WITH 1 XM52 SMOKE GENERATOR SYSTEM EACH

OPERATING AND SUPPORT HAZARD ANALYSIS FOR
THE MODEL T-62T-2D ENGINE FOR THE XM52 SMOKE GENERATOR PROGRAM

SDRL ITEM AUOe


INTRODUCTION

This report contains the O & S (Operating and Support) Analysis for the Model
T-62T-2D engine to be used in the XM52 Smoke Generator Program. This report is
intended to satisfy the requirements of AAI SDRL item AUOfi as described in
SDl-0126-8. The scope of analysis was further defined and clarified by AAI
personnel during the 5 May 1983 coordination meeting held at Turbomach. The
report contains a description of the major engine components and their
function, statements regarding design considerations affecting safety, failure
modes, control measures in effect to minimize failure effects, and assessments
of hazard severity and probability in accordance with MIL-STD-882A.

DESCRIPTION 

General 

The major components of the T-62T-2D are a turbine engine and electrical
control devices. The turbine engine consists of a powerplant, accessories, and
associated plumbing and wiring. The powerplant is divided into four main
assemblies: turbine, combustor, reduction drive, and accessory drive.

The turbine engine incorporates an integral lubrication system. The
lubricating oil supply is contained in an oil sump on the bottom of the
reduction drive housing. A fuel supply must be connected to the unit, but all
fuel system components necessary for operating the turbine engine are
installed on the unit.

An Electronic Sequence Unit (ESU) is provided to sequence the functions during
start. In addition, safety circuits are provided to shut down the unit in
cases of failure to sequence, overspeed, overtemperature, or low oil pressure
conditions, and processor failure. Speed is sensed from a signal generated by
a magnetic pickup installed on the accessory drive. Exhaust gas temperature
(EGT) is sensed by a thermocouple mounted on the exhaust end of the combustor
with its probe extending into the exhaust gas stream.

Engine  speed  is  controlled  by  a  droop-type  flyweight  governor  that  delivers 
the  correct  amount  of  fuel  regardless  of  the  ambient  conditions  or  load 
requirements  within  the  specified  limits. 

Starting is initiated by energizing a starter-generator. During cranking, air
is drawn into the compressor portion of the turbine where the air is
compressed and then directed into the combustor. Fuel entering the combustor
from a single start fuel nozzle and a fuel manifold containing three main fuel
injectors is mixed with compressed air and ignited by the igniter plug. The
resultant hot gases flow through the turbine nozzle and impinge on the blades
of the turbine wheel. Rotation of the turbine rotor shaft provides the power
to drive the compressor and output shaft of the turbine engine. The
compressor wheel, mounted on the same shaft as the turbine wheel, continues to
draw air into the compressor. Ignition and start fuel are cut off at a
predetermined point. All fuel is then supplied through the three main fuel
injectors. Combustion is a self-sustaining continuous cycle of intake,
compression, combustion, and exhaust and is maintained within the engine.


Powerplant  Assembly 

The powerplant assembly consists of a turbine assembly, combustor, reduction
drive assembly, and an accessory drive assembly. The forward end of the air
inlet portion of the turbine assembly is bolted to the reduction drive
assembly. The combustor assembly is clamped to a flange on the aft end of the
air inlet housing. The accessory drive assembly is bolted to the top of the
reduction drive assembly.


Turbine  Assembly 

The main components of the turbine assembly are an air inlet housing, rotor
assembly, diffuser, turbine nozzle assembly, and an input pinion.

The  air  inlet  housing  is  a  contoured,  cylindrical  casting  with  forward  and  aft 
openings.  The  flanged  forward  end  of  the  air  inlet  housing  is  bolted  to  the 
aft  end  of  the  reduction  drive  housing.  The  aft  end  of  the  air  inlet  housing 
is externally flanged to permit attachment of the combustor assembly. The
housing  thus  serves  as  a  rigid  member  between  the  reduction  drive  assembly  and 
the  combustor  assembly. 


The rotor assembly consists of a rotor shaft, single-stage centrifugal
compressor wheel, radial-inflow turbine wheel, bearing retainer and oil slinger
nut, spacer, forward ball bearing and aft roller bearing. The rotor shaft is
mounted in bearings within a sleeve in the bore of the air inlet housing; the
forward ball bearing carries thrust and radial loads; the aft roller bearing
carries radial loads only. Three balls retain the input pinion in the forward
end of the rotor shaft. The forward ball bearing is held in position by a
bearing retainer plate and an oil slinger nut.

The compressor wheel shoulders against a flange on the aft end of the rotor
shaft. Threaded compressor bolts are inserted through the flange into the
compressor wheel. These bolts maintain the alignment of the compressor wheel
and secure it to the rotor shaft. The turbine wheel is pressed onto the aft
end of the rotor shaft and aligned by dowels. A threaded bolt fastens the
turbine wheel to an internally threaded plug in the aft end of the rotor shaft.

A circular, compressor-to-turbine air seal separates the compressor section
from the turbine section. The seal is radially positioned by a piloting
diameter on the nozzle assembly. Axial position of the seal on the rotor shaft
is maintained by compressor pressure which forces the seal against a shoulder
on the turbine nozzle.

The cantilevered arrangement of the rotor assembly in the air inlet housing
places both the forward and aft bearings in areas of minimum temperature.
Cooling and lubrication of the rotor shaft bearings is accomplished by a flow
of air-oil mist from the reduction drive housing, through the input pinion
(within the rotor shaft), through the aft and forward bearings, and back into
the reduction drive housing.

The diffuser is a circular casting consisting of vanes on the outer periphery
and on the forward face. The turbine nozzle is a brazed, matched assembly
consisting of a forward circular plate and an aft circular plate. The diffuser
is secured in the aft portion of the air inlet housing by threaded nozzle
retaining pins. These pins pass through the diffuser and also secure the
turbine nozzle assembly concentric with the rotor assembly. The turbine nozzle
assembly seats against a mating surface of the diffuser (fore and aft only,
not radially).

Combustor  Assembly 

The combustor assembly is an annular air atomizing type and consists of a
combustor housing, combustor liner, and nozzle shield. The combustor liner is
secured in the combustor housing by three locating pins. The nozzle shield is
secured to the combustor liner with six self-tapping screws. An external
flange at the forward end of the combustor housing mates with an external
flange on the aft end of the turbine assembly. The combustor is secured to the
turbine assembly by a quick-release, V-type clamp that fits over the flanges.
A ring on the outer wall of the combustor liner fits snugly under the inner
aft edge of the turbine nozzle assembly. The mating of the combustor housing
inner wall with the aft end of the turbine nozzle assembly forms a circular
exhaust duct for the flow of exhaust gas as it passes through the rotor
assembly and flows out of the engine.

Intake air passes through the vanes of the diffuser, flows between the walls
of the combustor housing and liner, and reverses direction to enter the burner
section of the combustor. This flow of air cools the combustor housing and
liner. Air is also directed between the inner walls of the combustor housing
and liner, passes through cooling holes immediately aft of the screws that
secure the nozzle shield to the combustor liner and flows up between the
nozzle shield and the aft surface of the turbine nozzle assembly. Additional
cooling of the turbine nozzle is accomplished by a flow of cooling air that is
forced around the aft, internal edge of the diffuser, through equally spaced
holes in the ring on the combustor liner assembly, and over the aft side of
the forward plate of the nozzle assembly.

An igniter plug, which is mounted in a boss at the aft, left side of the
combustor housing, ignites the fuel-air mixture supplied by the start fuel
nozzle during starting.

Fuel to the combustor is supplied through an external fuel manifold into the
main fuel injectors that are equally spaced on the combustor housing. The main
fuel injectors provide a stream of fuel into three venturi tubes which
atomize and direct the fuel into the internal chamber of the combustor liner
for burning. A port in the lowest position of the combustor housing provides
a drain for fuel that may accumulate in the combustor.

A combustor shroud assembly completely encloses the combustor housing and
provides a safety barrier for isolation and containment in the event of
turbine wheel failure.

Reduction Drive Assembly

The reduction drive assembly reduces the output rotational speed of the
turbine assembly rotor to the speeds necessary to power the engine driven
equipment. The reduction drive housing, machined from a magnesium casting and
coated with fire retardant paint, contains the engine lubricating system
consisting of an oil pump, oil filter, pressure relief valve, filter bypass
relief valve, oil jets, oil sump, and connecting passages.

An input pinion drives three planetary gears that in turn drive an internally
splined ring gear within the reduction drive. The ring gear is centrally
splined to a short output shaft. An external gear which is integral to the
output shaft drives the oil pump drive gear. Also integral in the output shaft
is an internal spline to which the driven equipment is coupled. The output
shaft is supported at both ends by ball bearings. Axial positioning of the
shaft is provided by the front bearing in addition to carrying most of the
applied loads.

To prevent foaming, a deflector shield is installed between the sump and gear
portions of the reduction drive assembly to minimize directed contact of the
lubricating oil in the sump and the rotating gears. Lubrication of the gears
and bearings is by oil jet stream and splash oil.

The oil filler cap is located on the reduction drive housing. The oil filler
cap incorporates a chain to prevent its loss during servicing.

Accessory Drive Assembly

The accessory drive assembly contains a cover plate, an accessory drive gear,
two oil separator plates, two ball bearings, and two seals. The accessory
drive housing is bolted to the top of the reduction drive assembly. The
intermediate accessory drive gear converts the reduction drive output
speed (6000 rpm) to the speed required to drive the fuel control assembly
(4200 rpm).

The accessory drive gear has an internally serrated shaft supported by ball
bearings within the housing. The oil separator plates are mounted on the gear
shaft at each side of the accessory drive gear.

The accessory drive gear and bearings are lubricated by splash oil from the
reduction drive assembly. Seals, mounted in the housing and cover, prevent oil
leakage.

Bleed  Air  Valve 

An electro-pneumatic servo actuated bleed air valve consists of a
piston-operated valve disk and an electro-pneumatic torque motor. Operating
air pressure for the butterfly valve piston is obtained from compressor
discharge air pressure through a port in the valve body.

The air pressure is controlled by the electro-pneumatic torque motor, which
regulates the pneumatic pressure to the piston in the bleed air valve, thereby
positioning the valve disk. The valve is closed during engine start and is
activated prior to smoke generation by a switch mounted on the control panel
assembly.

Fuel System

The fuel system consists of components that function automatically to provide
proper engine acceleration and maintain a near constant operating speed under
all operating conditions. These components are the fuel control assembly, fuel
pump, start, main, and maximum fuel solenoid valves, start fuel nozzle, main
fuel injectors, and fuel manifold. Fuel is supplied to the engine from the
XM52 fuel system.

The main, start, and maximum fuel solenoid valves are hermetically sealed
valves installed on the fuel control assembly and are operated by an
electrical input.

The start fuel solenoid valve is a normally closed valve, energized to the
open position at 5 percent rated speed to supply fuel to the start fuel
nozzle. At 90 percent rated speed, the valve is deenergized and shuts off the
fuel flow to the start fuel nozzle.

The main fuel solenoid valve is a normally closed valve, energized to the open
position at 9C percent rated speed. When open, the valve allows fuel to flow
to the main fuel injectors. Deenergizing this valve produces a normal shutdown
of the engine.

The maximum fuel solenoid valve is a normally closed valve that is energized
during engine starting to minimize the time required to reach 100 percent
operating speed.

The start fuel nozzle, contained in a special fitting, is located on the left
side of the combustor. Fuel to the nozzle is controlled by the start fuel
solenoid valve. Fuel atomized by the nozzle is ignited by the igniter plug,
located on the combustor close to, and directly in line with, the start fuel
nozzle.

A start fuel nozzle purge system prevents buildup of varnish due to fuel
evaporation during the period that fuel is not flowing through the start fuel
nozzle while the engine is in operation. The purge system consists of a small
restrictor orifice and a drain line in parallel with the start fuel nozzle.

During acceleration, when the start fuel solenoid valve is energized, fuel
flows through the start fuel nozzle and also through the small restrictor
orifice. The very small quantity of fuel flowing through the orifice is
directed into a drain in the combustor shroud. At 90 percent speed the start
fuel solenoid valve is deenergized and compressor discharge air flows through
the start fuel nozzle, in reverse direction of fuel flow, through the orifice,
and out the drain. This airflow cools the nozzle tip and purges residual fuel
from the tip and the start fuel nozzle line assembly.

Three main fuel injector assemblies are interconnected and equally spaced
around the circumference of the combustor. Each injector incorporates an
integral filter that provides filtration to 15 microns. Fuel is supplied to the
main fuel injectors through the main fuel solenoid valve and the fuel manifold.

The fuel pump is a positive-displacement, gear-type pump. The unit is mounted
on the left output pad of the accessory drive assembly inside the fuel control
assembly. The fuel pump spline adapter fits into an eight-point square drive
in the shaft portion of the accessory drive gear. The other end of the fuel
pump drive shaft is spline coupled to the governor drivehead assembly in the
governor. A drain port in the pump housing drains fuel that might leak past
the pump drive seal or past the pressure drop regulating valve pin.

The acceleration control assembly consists of the governor housing, the fuel
control housing, and the bellows cover assembly.

The governor housing includes a pressure relief valve, a governor control
spring, a flyweight assembly mounted in a drivehead assembly, and a matched
ball bearing set which supports the internally splined shaft end of the
drivehead assembly.

The flyweight assembly, located between the bearing valve assembly and the
governor drivehead assembly, is pivot-mounted against the governor drivehead
assembly and the bearing plate of the bearing and valve assembly.

The fuel control housing, which is secured to the forward face of the governor
housing, contains a minimum fuel flow orifice, an acceleration needle
adjustment, a ported fuel metering valve assembly, a governor adjusting
plunger, a governor tension lever, a bearing and valve assembly, and an outlet
port.

The aft end of the fuel metering valve extends into the fuel control housing.
The spring retainer, which fits over the end of the fuel metering valve, is
held in position around the metering valve by flanges on the spring retainer
and the bearing and valve assembly. The piston of the bearing and valve
assembly fits into the center of the fuel metering valve assembly.

The bellows cover assembly is secured to the top of the governor housing and
consists of two interconnected sections. These sections are the diaphragm and
bellows housing, and a lever housing. A diaphragm is installed between the
pressure sensing portion of the bellows cover assembly and the lever housing
which, through mechanical connection, operates on the differential pressure
regulating valve in the governor housing. A diaphragm adjusting screw is
installed in the pressure sensing portion of the bellows cover assembly.

The turbine engine fuel system plumbing connections are all located on the
fuel control assembly and combustor assembly.

Lubrication System

The  lubrication  system  provides  lubrication  to  the  high-speed  input  pinion, 
reduction  and  accessory  gears,  and  bearings.  The  lubrication  system  consists 
of  the  oil  pump,  oil  filter,  pressure  relief  valve,  filter  bypass  relief 
valve,  oil  pressure  switch,  oil  jet  ring,  centrifugal  oil  separator  plates, 
oil  passages,  and  oil  sump. 

The oil pump consists of two gears pinned on shafts mounted inside a two-piece
housing, which is secured to the reduction drive housing. One oil pump gear
(driver gear) is pinned to the oil pump drive shaft. The other gear (driven
gear) is pinned to the oil pump driven shaft. A third gear, the oil pump drive
gear, is pinned and secured with a nut to the end of the pump drive shaft just
outside the oil pump housing, and is driven by the reduction gear train.

The oil filter consists of a filter housing in the reduction drive, a nominal
10-micron disposable filter element, and a bypass relief-valve housing that
serves as a cap for the filter element. The cap (relief valve housing)
incorporates a spring-loaded, ball-type, bypass relief valve.

The oil pressure switch incorporates normally closed contacts that actuate at
6±1 psig oil pressure. After the engine is operating at or above 90 percent
rated speed, oil pressure below 6±1 psig closes the contacts in the switch
and initiates a low oil pressure engine shutdown. Visual indication is
provided to note this occurrence.

The pressure relief valve is a spring-loaded, ball-type relief valve,
internally mounted in the main oil gallery. The valve regulates the system oil
pressure at IS to <0 psig by bypassing a portion of the pump output to the

Two centrifugal oil separator plates are mounted on the sides of the accessory
drive gear in the top of the reduction drive housing. The plates remove the
oil from the air-oil mist in the reduction gearbox before the air is vented to
atmosphere.


The  oil  jet  ring  is  located  in  the  bearing  carrier  assembly  for  the  planetary 
gear  system.  The  jet  ring  encircles  the  high-speed  input  pinion  and  provides 
three  jets  of  oil  that  are  directed  at  the  mesh  points  of  the  input  pinion  and 
planetary  gears. 


Electrical System

The  engine-mounted  components  of  the  electrical  system  are  the  thermocouple, 
ignition  exciter,  ignition  cable,  spark  plug,  hourmeter,  start  counter, 
magnetic pickup, oil pressure switch, and three fuel solenoid valves.
Descriptions of the oil pressure switch and fuel solenoid valves are included
with the lubrication and fuel systems, respectively. Other electrical system
components, lights, switches, etc. are mounted on the control panel assembly.

A single element, chromel/alumel thermocouple extends into the exhaust stream
and senses engine exhaust gas temperature. The output signal of the
thermocouple is transmitted to the ESU. If overtemperature is sensed the ESU
will shut down the engine. The thermocouple is a component of the engine
harness assembly.

The  ignition  exciter  is  bolted  to  the  turbine  assembly  housing.  This  capacitor 
discharge-type  exciter  converts  direct  current  input  to  a  high-energy  charge 
which  is  supplied  to  the  spark  plug  for  fuel  ignition. 

The ignition cable connects the ignition exciter to the spark plug. The
high-energy pulse from the exciter to the plug is supplied through the
ignition cable. The cable is protected by a flexible metal shielding.

A shunted-gap type spark plug is threaded into a boss in the left-hand, aft
section of the combustor. The plug provides the spark necessary for initial
ignition of fuel during the starting phase of engine operation.

The hourmeter indicates total accumulated hours of engine operation. This
meter is installed on the hourmeter and electrical connector mounting bracket,
located on the upper left side of the reduction drive and operates on 14 to 30
volts dc.

The start counter indicates the accumulated number of starts made on the
engine. The counter is mounted on the same bracket as the hourmeter.

The magnetic pickup is installed on the accessory drive assembly. The magnetic
pickup generates a frequency output as the accessory drive gear passes through
the magnetic field surrounding the pole piece at the sensing end of the
pickup. The frequency output is then transmitted to the ESU. An underspeed or
overspeed condition detected by the ESU will result in an engine shutdown.

The ESU is a microprocessor that is programmed to control and initiate a
sequence of events necessary for the satisfactory operation of the engine.
Control is achieved by continuous monitoring of engine speed and exhaust gas
temperature by the microprocessor.

Before the microprocessor instructs the ESU to initiate a required event, it
compares input data just received against programmed data representing limit
conditions for the required event. From the result of this comparison and
program logic, the ESU will initiate the next event or a malfunction shutdown.

Functions controlled by this logic are engine start sequence to operation,
malfunction indication and shutdown during start and engine operation. The
logic also sequences itself to restart condition on reapplication of power to
the system after shutdown. In addition to sequencing and protecting the
engine, the ESU provides engine condition monitoring for fault isolation.

The BITE indicators incorporated in the panel assembly provide a visual
indication of the malfunction that occurred at the time of unscheduled
shutdown.

An RPM meter is furnished to indicate engine speed, expressed in percent rpm
from 0 to 1?0. The meter is a long-scale instrument, having minor graduation
of two percent. At rated engine speed, and with load, the pointer indicates
100 percent.

The EGT (exhaust gas temperature) meter furnished with the engine is a
standard thermocouple-type temperature indicator graduated from zero to 1500°F.
Its input signal is received from the same thermocouple as the temperature
sensor.

HAZARD CONTROL CONSIDERATIONS


The T-62T-2D engine system designated for use in the XM52 Smoke Generator
program was designed to provide bleed air and to operate at speed and
temperature ranges well within the capability of the unit. The combination of
a conservative design approach, quality control, selection of materials, and
incorporation of engine condition sensing devices which initiate engine
shutdown for out of tolerance conditions render hazard severities of potential
hazards to Category III - marginal or Category IV - minor designations in
accordance with MIL-STD-882A. Hazard probabilities associated with this engine
fall into either level C - occasional or level D - remote. This means that
potential hazard items having both hazard probability C and hazard severity
III will fall into a region of acceptability not requiring any redesign
consideration. Table 1 contains a summary of the failure mode analysis
regarding possible hazards, including inherent failure rates, control measures
to minimize failure effects, and assessments of hazard severities and
probabilities.

The conclusion reached at Turbomach based upon analysis of the T-62T-2D engine
design and upon field service data, test and operating experience on similar
Titan engines is that the T-62T-2D engine can be operated safely for the XM52
Smoke Generator application.

All known hazards associated with the T-62T-2D engine operation have been
considered and the probability of their occurrence and of their severity have
been essentially eliminated through the application of a conservative design
approach and the use of safety devices to protect the engine from unsafe
operation.

The conservative design approach is to keep operating stresses to a minimum
for  all  engine  components  containing  fuel,  lube  oil,  or  combustion  gases  under 
pressure. 

Hazards  associated  with  high  speed  rotating  machinery  are  minimized  by 
applying  a  very  conservative  rotor  design.  The  success  of  this  approach  is 
documented  in  a  Solar  (Turbomach)  engineering  report.  With  respect  to  the 
T-62T-2D  engine  a  two-piece  combustor  shroud  is  used  to  provide  an  additional 
containment  barrier  in  the  event  of  turbine  failure.  Overspeed  and 
overtemperature  safety  devices  are  provided  to  sense  out  of  tolerance 
conditions  which  may  be  caused  by  a  rotating  part  failure. 

The  ESU  is  a  microprocessor  unit  that  is  programmed  to  control  and  monitor  the 
engine.  ESU  control  functions  include  engine  start  sequence  through  to 
operation,  and  malfunction  indication  and  shutdown  during  start,  and  during 
operation. The BITE indicators incorporated into the Control Panel Assembly
provide a visual indication of the malfunction that occurred at the time of
an unscheduled shutdown. These indications include overspeed, overtemperature
(high EGT), and low oil pressure conditions. In addition, indications of time
out (start sequence failure) and processor failure (ESU internal failure) are
provided.

HAZARD CONTROL SUMMARY
Power  Section 


The T-62T-2D power section is provided with an overspeed sensing device which
initiates automatic engine shutdown before it can achieve destructive speed
levels. Overtemperature and low oil pressure sensors are also provided to
cause automatic engine shutdown for out of tolerance conditions. Turbine wheel
containment is achieved by the selection of materials with physical properties
conducive to high margins of safety at engine operating conditions. Structural
details of the turbine nozzle assembly, combustor liner, combustor housing,
and combustor shroud provide a series of concentric barriers for the
containment of fragments which may result from a failed wheel and for the
dissipation of the kinetic energy from such a failure.

A combustor drain is provided to permit draining of any unburned fuel during
engine shutdown.

A fuel drain tank assembly is provided to collect any residual fuel, lube oil,
or water condensation accumulated during engine operation. These residuals are
aspirated from the drain tank to the engine exhaust using XM52 system
equipment.

The reduction drive and accessory drive housings are designed to contain all
components in the event of a malfunction of the lube oil pump or possible
bearing, or shaft failures.

Fuel System

Cracked or broken fuel lines may allow fuel to leak. Periodic inspection is
recommended to check for the occurrence of this hazard. Should a major leak
occur during operation the engine will shut down due to fuel starvation (flame
out), or by the action of the speed sensing device detecting an underspeed
condition.

Lubrication System

A cracked or broken oil drain line may allow lube oil to escape. Periodic
inspection is recommended to check for this occurrence. Loss of oil due to this
condition or due to a malfunctioning oil pump, cracked oil passages, or breaks
in the reduction drive housing will cause an automatic engine shutdown due to
a low oil pressure condition detected by the oil pressure sensor.

Electrical  System 

A single element thermocouple extends into the exhaust gas stream and senses
the engine exhaust gas temperature. An overtemperature condition sensed by the
thermocouple will initiate an automatic engine shutdown. The thermocouple is a
component of the engine harness assembly.

The ignition exciter is designed to safely bleed off internal high voltages.
Personnel shock hazard is avoided by eliminating stored high voltage
electrical potential from the ignition system.

Electronic Sequence Unit (ESU)


The heart of the ESU is a microprocessor that is programmed to control and
initiate a sequence of events necessary for engine operation. The ESU
continuously monitors engine conditions such as speed, EGT, and oil pressure.
Before the microprocessor instructs the ESU to initiate a required event, the
microprocessor compares input data just received against programmed data
representing limit conditions for the required event. From the result of this
comparison and program logic, the ESU will initiate the next event or a
malfunction shutdown. The ESU will also initiate a shutdown in the event of an
internal processor failure.
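
The limit comparison the report describes for the ESU can be sketched as a small latching check. This is an added example, not code from the report or from the engine manufacturer: all type and function names are hypothetical, and every limit except the 90 percent arming speed for the oil pressure switch is a constructed placeholder. Arming the underspeed check at the same 90 percent point and clearing a fault only by a reset (standing in for reapplication of power) are assumptions.

```c
#include <stdbool.h>

/* Fault codes follow the shutdown causes named in the report. */
typedef enum { ESU_OK, ESU_OVERSPEED, ESU_UNDERSPEED, ESU_OVERTEMP,
               ESU_LOW_OIL, ESU_TIMEOUT, ESU_PROCESSOR } esu_fault;

/* Only OIL_ARM_PCT comes from the report; the rest are constructed values. */
#define OIL_ARM_PCT      90.0   /* oil switch honoured at or above this speed */
#define OVERSPEED_PCT   110.0   /* placeholder */
#define UNDERSPEED_PCT   85.0   /* placeholder */
#define EGT_LIMIT_F    1300.0   /* placeholder */
#define START_TIMEOUT_S  30.0   /* placeholder */

typedef struct {
    double speed_pct;        /* from magnetic pickup frequency */
    double egt_f;            /* from exhaust thermocouple */
    bool   oil_low;          /* oil pressure switch contacts closed */
    bool   self_test_ok;     /* processor self-check (assumed input) */
    double start_elapsed_s;  /* time since start was commanded */
} esu_sample;

typedef struct {
    bool      armed;         /* latched once 90 percent speed is reached */
    esu_fault latched;       /* first fault wins and is held */
} esu_state;

/* Stands in for reapplication of power after a shutdown. */
void esu_reset(esu_state *s) { s->armed = false; s->latched = ESU_OK; }

/* Compare one sample against the programmed limits. Any result other
 * than ESU_OK means the engine is to be shut down. */
esu_fault esu_check(esu_state *s, const esu_sample *in)
{
    if (s->latched != ESU_OK) return s->latched;   /* not self-clearing */
    if (in->speed_pct >= OIL_ARM_PCT) s->armed = true;

    if (!in->self_test_ok)                       s->latched = ESU_PROCESSOR;
    else if (in->speed_pct > OVERSPEED_PCT)      s->latched = ESU_OVERSPEED;
    else if (in->egt_f > EGT_LIMIT_F)            s->latched = ESU_OVERTEMP;
    else if (s->armed && in->oil_low)            s->latched = ESU_LOW_OIL;
    else if (s->armed && in->speed_pct < UNDERSPEED_PCT)
                                                 s->latched = ESU_UNDERSPEED;
    else if (!s->armed && in->start_elapsed_s > START_TIMEOUT_S)
                                                 s->latched = ESU_TIMEOUT;
    return s->latched;
}
```

Low oil pressure during cranking is ignored until the engine has reached 90 percent speed, which is why the arming flag is latched rather than recomputed from each sample.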

Failure Modes Analysis

Table 1 shows a summary of failure modes which may bear upon possible hazard
conditions. Designations for hazard probabilities and hazard severities are in
accordance with MIL-STD-882A.


Table 1. Failure Mode Analysis Summary


conservative design,
periodic inspection.